CVE-2026-28136
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection. This issue affects WP SMS: from n/a through <= 6.9.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WP SMS plugin (≤6.9.12) allows unauthenticated attackers to interact with the database; update to version 7.0 or later.
Vulnerability Overview
CVE-2026-28136 is an SQL injection vulnerability in the VeronaLabs WP SMS plugin for WordPress, affecting versions up to and including 6.9.12. The plugin fails to properly neutralize special elements used in SQL commands, allowing an attacker to inject arbitrary SQL queries into the database. This type of flaw is commonly exploited in mass campaigns targeting thousands of websites simultaneously [1].
Exploitation
The vulnerability can be exploited without authentication, as the SQL injection occurs in a publicly accessible endpoint. An attacker only needs to send a crafted HTTP request containing malicious SQL payloads. No special network position or user interaction is required, making it a low-barrier attack vector [1].
Impact
Successful exploitation enables an attacker to directly interact with the underlying database. This includes reading sensitive data (e.g., user credentials, personal information), modifying or deleting records, and potentially escalating privileges within the WordPress installation. The CVSS v3 score of 7.6 reflects the high confidentiality and integrity impact [1].
Mitigation
The vendor has released version 7.0, which fixes the SQL injection issue. Users are strongly advised to update immediately. For those unable to update, engaging a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to stay protected [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.9.12
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.